BSidesLA talk where I explore methods of dumping active directory password
hashes from a domain controller by using the Volume Shadow Copy Service or
direct disk access to make a copy of the NTDS.dit, SYSTEM and SAM files from a
running DC.

I give a history of old methods and detail new methods and ideas for
detecting them.